Cisco
--
Questions
--
Followers
Top Experts
Cisco ASA 5505 to Draytek Vigor 2700 tunnel: IKE failure
I want a permanent VPN IPsec tunnel between office and home LANs. And the regular NAT-route to the Internet for both sites.
Office: Cisco ASA 5505 (v8.0), connected to a Thomson Speedtouch DSL modem (bridged)
WAN: 82.X.X.56 Â LAN: 192.168.1.0/24
Home: Draytek Vigor 2700G VPN-router/DSL-modem
WAN: 82.X.X.48 Â LAN: 192.168.2.0/24
So far I can't get the tunnel to connect. Looks to me like IKE phase 2 times out. (Getting a QM FSM error EV_TIMEOUT - QM_WAIT_MSG2). See debug log below of an attempt to open the tunnel from the Cisco LAN side by typing the remote address 192.168.2.200 address in the browser.
The Draytek has no command to dump its configuration to a terminal. It has a single VPN LAN-LAN. Direction set to both. PFS is disabled AFAIK, not sure if the Cisco uses it. Tried several lifetime values.
Some help would be much appreciated. I'm an EE-newbie, so excuse me if I did not submit this question in a proper manner.
Office: Cisco ASA 5505 (v8.0), connected to a Thomson Speedtouch DSL modem (bridged)
WAN: 82.X.X.56 Â LAN: 192.168.1.0/24
Home: Draytek Vigor 2700G VPN-router/DSL-modem
WAN: 82.X.X.48 Â LAN: 192.168.2.0/24
So far I can't get the tunnel to connect. Looks to me like IKE phase 2 times out. (Getting a QM FSM error EV_TIMEOUT - QM_WAIT_MSG2). See debug log below of an attempt to open the tunnel from the Cisco LAN side by typing the remote address 192.168.2.200 address in the browser.
The Draytek has no command to dump its configuration to a terminal. It has a single VPN LAN-LAN. Direction set to both. PFS is disabled AFAIK, not sure if the Cisco uses it. Tried several lifetime values.
Some help would be much appreciated. I'm an EE-newbie, so excuse me if I did not submit this question in a proper manner.
Aug 28 2009 15:25:31: %ASA-7-609001: Built local-host outside:192.168.2.200
Aug 28 2009 15:25:31: %ASA-7-609002: Teardown local-host outside:192.168.2.200 duration 0:00:00
Aug 28 2009 15:25:31: %ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
Aug 28 2009 15:25:31: %ASA-5-713041: IP = 82.X.X.56, IKE Initiator: New Phase 1, Intf inside, IKE Peer 82.X.X.56 local Proxy Address 192.168.1.0, remote Proxy Address 192.168.2.0, Crypto map (outside_map)
Aug 28 2009 15:25:31: %ASA-7-715046: IP = 82.X.X.56, constructing ISAKMP SA payload
Aug 28 2009 15:25:31: %ASA-7-715046: IP = 82.X.X.56, constructing Fragmentation VID + extended capabilities payload
Aug 28 2009 15:25:31: %ASA-7-713236: IP = 82.X.X.56, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 96
Aug 28 2009 15:25:31: %ASA-7-609001: Built local-host NP Identity Ifc:82.X.X.48
Aug 28 2009 15:25:31: %ASA-7-609001: Built local-host outside:82.X.X.56
Aug 28 2009 15:25:31: %ASA-7-713236: IP = 82.X.X.56, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 92
Aug 28 2009 15:25:31: %ASA-7-715047: IP = 82.X.X.56, processing SA payload
Aug 28 2009 15:25:31: %ASA-7-713906: IP = 82.X.X.56, Oakley proposal is acceptable
Aug 28 2009 15:25:31: %ASA-7-715047: IP = 82.X.X.56, processing VID payload
Aug 28 2009 15:25:31: %ASA-7-715049: IP = 82.X.X.56, Received DPD VID
Aug 28 2009 15:25:31: %ASA-7-715046: IP = 82.X.X.56, constructing ke payload
Aug 28 2009 15:25:31: %ASA-7-715046: IP = 82.X.X.56, constructing nonce payload
Aug 28 2009 15:25:31: %ASA-7-715046: IP = 82.X.X.56, constructing Cisco Unity VID payload
Aug 28 2009 15:25:31: %ASA-7-715046: IP = 82.X.X.56, constructing xauth V6 VID payload
Aug 28 2009 15:25:31: %ASA-7-710005: UDP request discarded from 192.168.1.14/137 to inside:192.168.1.255/137
Aug 28 2009 15:25:31: %ASA-7-713236: IP = 82.X.X.56, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 180
Aug 28 2009 15:25:31: %ASA-7-715047: IP = 82.X.X.56, processing ke payload
Aug 28 2009 15:25:31: %ASA-7-715047: IP = 82.X.X.56, processing ISA_KE payload
Aug 28 2009 15:25:31: %ASA-7-715047: IP = 82.X.X.56, processing nonce payload
Aug 28 2009 15:25:31: %ASA-7-713906: IP = 82.X.X.56, Connection landed on tunnel_group 82.X.X.56
Aug 28 2009 15:25:31: %ASA-7-713906: Group = 82.X.X.56, IP = 82.X.X.56, Generating keys for Initiator...
Aug 28 2009 15:25:31: %ASA-7-715046: Group = 82.X.X.56, IP = 82.X.X.56, constructing ID payload
Aug 28 2009 15:25:31: %ASA-7-715046: Group = 82.X.X.56, IP = 82.X.X.56, constructing hash payload
Aug 28 2009 15:25:31: %ASA-7-715076: Group = 82.X.X.56, IP = 82.X.X.56, Computing hash for ISAKMP
Aug 28 2009 15:25:31: %ASA-7-713236: IP = 82.X.X.56, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NOTIFY (11) + NONE (0) total length : 92
Aug 28 2009 15:25:31: %ASA-7-715047: Group = 82.X.X.56, IP = 82.X.X.56, processing ID payload
Aug 28 2009 15:25:31: %ASA-7-714011: Group = 82.X.X.56, IP = 82.X.X.56, ID_IPV4_ADDR ID received
82.X.X.56
Aug 28 2009 15:25:31: %ASA-7-715047: Group = 82.X.X.56, IP = 82.X.X.56, processing hash payload
Aug 28 2009 15:25:31: %ASA-7-715076: Group = 82.X.X.56, IP = 82.X.X.56, Computing hash for ISAKMP
Aug 28 2009 15:25:31: %ASA-7-715047: Group = 82.X.X.56, IP = 82.X.X.56, processing notify payload
Aug 28 2009 15:25:31: %ASA-7-713906: IP = 82.X.X.56, Connection landed on tunnel_group 82.X.X.56
Aug 28 2009 15:25:31: %ASA-4-713903: Group = 82.X.X.56, IP = 82.X.X.56, Freeing previously allocated memory for authorization-dn-attributes
Aug 28 2009 15:25:31: %ASA-6-113009: AAA retrieved default group policy (DfltGrpPolicy) for user = 82.X.X.56
Aug 28 2009 15:25:31: %ASA-7-713906: Group = 82.X.X.56, IP = 82.X.X.56, Oakley begin quick mode
Aug 28 2009 15:25:31: %ASA-7-714002: Group = 82.X.X.56, IP = 82.X.X.56, IKE Initiator starting QM: msg id = 7cd21e66
Aug 28 2009 15:25:31: %ASA-3-713119: Group = 82.X.X.56, IP = 82.X.X.56, PHASE 1 COMPLETED
Aug 28 2009 15:25:31: %ASA-7-713121: IP = 82.X.X.56, Keep-alive type for this connection: DPD
Aug 28 2009 15:25:31: %ASA-7-715006: Group = 82.X.X.56, IP = 82.X.X.56, IKE got SPI from key engine: SPI = 0xeb7f9659
Aug 28 2009 15:25:31: %ASA-7-715006: Group = 82.X.X.56, IP = 82.X.X.56, IKE got SPI from key engine: SPI = 0x1dff14a6
Aug 28 2009 15:25:31: %ASA-7-715006: Group = 82.X.X.56, IP = 82.X.X.56, IKE got SPI from key engine: SPI = 0xb80677fa
Aug 28 2009 15:25:31: %ASA-7-715006: Group = 82.X.X.56, IP = 82.X.X.56, IKE got SPI from key engine: SPI = 0x013a27ca
Aug 28 2009 15:25:31: %ASA-7-715006: Group = 82.X.X.56, IP = 82.X.X.56, IKE got SPI from key engine: SPI = 0xf1afd6e9
Aug 28 2009 15:25:31: %ASA-7-715006: Group = 82.X.X.56, IP = 82.X.X.56, IKE got SPI from key engine: SPI = 0xa77233a3
Aug 28 2009 15:25:31: %ASA-7-715006: Group = 82.X.X.56, IP = 82.X.X.56, IKE got SPI from key engine: SPI = 0x13fd9936
Aug 28 2009 15:25:31: %ASA-7-715006: Group = 82.X.X.56, IP = 82.X.X.56, IKE got SPI from key engine: SPI = 0xf61bd0d2
Aug 28 2009 15:25:31: %ASA-7-715006: Group = 82.X.X.56, IP = 82.X.X.56, IKE got SPI from key engine: SPI = 0xf4cf9c91
Aug 28 2009 15:25:31: %ASA-7-715006: Group = 82.X.X.56, IP = 82.X.X.56, IKE got SPI from key engine: SPI = 0x5e3604e1
Aug 28 2009 15:25:31: %ASA-7-713906: Group = 82.X.X.56, IP = 82.X.X.56, oakley constucting quick mode
Aug 28 2009 15:25:31: %ASA-7-715046: Group = 82.X.X.56, IP = 82.X.X.56, constructing blank hash payload
Aug 28 2009 15:25:31: %ASA-7-715046: Group = 82.X.X.56, IP = 82.X.X.56, constructing IPSec SA payload
Aug 28 2009 15:25:31: %ASA-7-715046: Group = 82.X.X.56, IP = 82.X.X.56, constructing IPSec nonce payload
Aug 28 2009 15:25:31: %ASA-7-715001: Group = 82.X.X.56, IP = 82.X.X.56, constructing proxy ID
Aug 28 2009 15:25:31: %ASA-7-713906: Group = 82.X.X.56, IP = 82.X.X.56, Transmitting Proxy Id:
Local subnet: 192.168.1.0 mask 255.255.255.0 Protocol 0 Port 0
Remote subnet: 192.168.2.0 Mask 255.255.255.0 Protocol 0 Port 0
Aug 28 2009 15:25:31: %ASA-7-714007: Group = 82.X.X.56, IP = 82.X.X.56, IKE Initiator sending Initial Contact
Aug 28 2009 15:26:01: %ASA-7-715036: Group = 82.X.X.56, IP = 82.X.X.56, Sending keep-alive of type DPD R-U-THERE (seq number 0xc24fa5f)
Aug 28 2009 15:26:01: %ASA-7-715046: Group = 82.X.X.56, IP = 82.X.X.56, constructing blank hash payload
Aug 28 2009 15:26:01: %ASA-7-715046: Group = 82.X.X.56, IP = 82.X.X.56, constructing qm hash payload
Aug 28 2009 15:26:01: %ASA-7-713236: IP = 82.X.X.56, IKE_DECODE SENDING Message (msgid=732b2f98) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Aug 28 2009 15:26:03: %ASA-3-713902: Group = 82.X.X.56, IP = 82.X.X.56, QM FSM error (P2 struct &0xd4b00b60, mess id 0x7cd21e66)!
Aug 28 2009 15:26:03: %ASA-7-715065: Group = 82.X.X.56, IP = 82.X.X.56, IKE QM Initiator FSM error history (struct &0xd4b00b60) <state>, <event>: QM_DONE, EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent-->QM_SND_MSG1, EV_SND_MSG-->QM_SND_MSG1, EV_START_TMR-->QM_SND_MSG1, EV_RESEND_MSG-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent
Aug 28 2009 15:26:03: %ASA-7-713906: Group = 82.X.X.56, IP = 82.X.X.56, sending delete/delete with reason message
Aug 28 2009 15:26:03: %ASA-7-715046: Group = 82.X.X.56, IP = 82.X.X.56, constructing blank hash payload
Aug 28 2009 15:26:03: %ASA-1-713900: Group = 82.X.X.56, IP = 82.X.X.56, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Aug 28 2009 15:26:03: %ASA-7-715009: Group = 82.X.X.56, IP = 82.X.X.56, IKE Deleting SA: Remote Proxy 192.168.2.0, Local Proxy 192.168.1.0
Aug 28 2009 15:26:03: %ASA-7-715009: Group = 82.X.X.56, IP = 82.X.X.56, IKE Deleting SA: Remote Proxy 192.168.2.0, Local Proxy 192.168.1.0
Aug 28 2009 15:26:03: %ASA-7-715009: Group = 82.X.X.56, IP = 82.X.X.56, IKE Deleting SA: Remote Proxy 192.168.2.0, Local Proxy 192.168.1.0
Aug 28 2009 15:26:03: %ASA-7-715009: Group = 82.X.X.56, IP = 82.X.X.56, IKE Deleting SA: Remote Proxy 192.168.2.0, Local Proxy 192.168.1.0
Aug 28 2009 15:26:03: %ASA-7-715077: Pitcher: received key delete msg, spi 0x5e3604e1
Aug 28 2009 15:26:03: %ASA-7-715077: Pitcher: received key delete msg, spi 0x5e3604e1
Aug 28 2009 15:26:03: %ASA-7-715077: Pitcher: received key delete msg, spi 0x5e3604e1
=== packet trace for port 500 ===
11 packets captured
1: 15:28:26.281067 802.1Q vlan#2 P0 82.X.X.48.500 > 82.X.X.56.500: udp 96
ISAKMP Header
Initiator COOKIE: 94 64 f1 46 ed c3 d7 ae
Responder COOKIE: 00 00 00 00 00 00 00 00
Next Payload: Security Association
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (none)
MessageID: 00000000
Length: 96
Payload Security Association
Next Payload: Vendor ID
Reserved: 00
Payload Length: 44
DOI: IPsec
Situation:(SIT_IDENTITY_ONLY)
Payload Proposal
Next Payload: None
Reserved: 00
Payload Length: 32
Proposal #: 1
Protocol-Id: PROTO_ISAKMP
SPI Size: 0
# of transforms: 1
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 24
Transform #: 1
Transform-Id: KEY_IKE
Reserved2: 0000
Group Description: Group 2
Encryption Algorithm: 3DES-CBC
Hash Algorithm: SHA1
Authentication Method: Preshared key
Payload Vendor ID
Next Payload: None
Reserved: 00
Payload Length: 24
Data (In Hex): ...
2: 15:28:26.311064 802.1Q vlan#2 P0 82.X.X.56.500 > 82.X.X.48.500: udp 92
ISAKMP Header
Initiator COOKIE: 94 64 f1 46 ed c3 d7 ae
Responder COOKIE: ff ac 06 b5 6e c4 89 23
Next Payload: Security Association
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (none)
MessageID: 00000000
Length: 92
Payload Security Association
Next Payload: Vendor ID
Reserved: 00
Payload Length: 44
DOI: IPsec
Situation:(SIT_IDENTITY_ONLY)
Payload Proposal
Next Payload: None
Reserved: 00
Payload Length: 32
Proposal #: 1
Protocol-Id: PROTO_ISAKMP
SPI Size: 0
# of transforms: 1
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 24
Transform #: 1
Transform-Id: KEY_IKE
Reserved2: 0000
Group Description: Group 2
Encryption Algorithm: 3DES-CBC
Hash Algorithm: SHA1
Authentication Method: Preshared key
Payload Vendor ID
Next Payload: None
Reserved: 00
Payload Length: 20
Data (In Hex): ...
3: 15:28:26.311064 802.1Q vlan#2 P0 82.X.X.48.500 > 82.X.X.56.500: udp 256
ISAKMP Header
Initiator COOKIE: 94 64 f1 46 ed c3 d7 ae
Responder COOKIE: ff ac 06 b5 6e c4 89 23
Next Payload: Key Exchange
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (none)
MessageID: 00000000
Length: 256
Payload Key Exchange
Next Payload: Nonce
Reserved: 00
Payload Length: 132
Data: ...
Payload Nonce
Next Payload: Vendor ID
Reserved: 00
Payload Length: 24
Data: ...
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex): ...
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 12
Data (In Hex): ...
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
...
Payload Vendor ID
Next Payload: None
Reserved: 00
Payload Length: 20
Data (In Hex):
...
4: 15:28:26.971141 802.1Q vlan#2 P0 82.X.X.56.500 > 82.X.X.48.500: udp 180
ISAKMP Header
Initiator COOKIE: 94 64 f1 46 ed c3 d7 ae
Responder COOKIE: ff ac 06 b5 6e c4 89 23
Next Payload: Key Exchange
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (none)
MessageID: 00000000
Length: 180
Payload Key Exchange
Next Payload: Nonce
Reserved: 00
Payload Length: 132
Data:
...
Payload Nonce
Next Payload: None
Reserved: 00
Payload Length: 20
Data:
...
5: 15:28:26.971141 802.1Q vlan#2 P0 82.X.X.48.500 > 82.X.X.56.500: udp 84
ISAKMP Header
Initiator COOKIE: 94 64 f1 46 ed c3 d7 ae
Responder COOKIE: ff ac 06 b5 6e c4 89 23
Next Payload: Identification
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (Encryption)
MessageID: 00000000
Length: 84
6: 15:28:27.001190 802.1Q vlan#2 P0 82.X.X.56.500 > 82.X.X.48.500: udp 92
ISAKMP Header
Initiator COOKIE: 94 64 f1 46 ed c3 d7 ae
Responder COOKIE: ff ac 06 b5 6e c4 89 23
Next Payload: Identification
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (Encryption)
MessageID: 00000000
Length: 92
7: 15:28:27.022002 802.1Q vlan#2 P0 82.X.X.48.500 > 82.X.X.56.500: udp 652
ISAKMP Header
Initiator COOKIE: 94 64 f1 46 ed c3 d7 ae
Responder COOKIE: ff ac 06 b5 6e c4 89 23
Next Payload: Hash
Version: 1.0
Exchange Type: Quick Mode
Flags: (Encryption)
MessageID: 72C4EA2C
Length: 652
8: 15:28:35.022414 802.1Q vlan#2 P0 82.X.X.48.500 > 82.X.X.56.500: udp 652
ISAKMP Header
Initiator COOKIE: 94 64 f1 46 ed c3 d7 ae
Responder COOKIE: ff ac 06 b5 6e c4 89 23
Next Payload: Hash
Version: 1.0
Exchange Type: Quick Mode
Flags: (Encryption)
MessageID: 72C4EA2C
Length: 652
9: 15:28:43.023634 802.1Q vlan#2 P0 82.X.X.48.500 > 82.X.X.56.500: udp 652
ISAKMP Header
Initiator COOKIE: 94 64 f1 46 ed c3 d7 ae
Responder COOKIE: ff ac 06 b5 6e c4 89 23
Next Payload: Hash
Version: 1.0
Exchange Type: Quick Mode
Flags: (Encryption)
MessageID: 72C4EA2C
Length: 652
10: 15:28:51.040479 802.1Q vlan#2 P0 82.X.X.48.500 > 82.X.X.56.500: udp 652
ISAKMP Header
Initiator COOKIE: 94 64 f1 46 ed c3 d7 ae
Responder COOKIE: ff ac 06 b5 6e c4 89 23
Next Payload: Hash
Version: 1.0
Exchange Type: Quick Mode
Flags: (Encryption)
MessageID: 72C4EA2C
Length: 652
11: 15:28:59.041700 802.1Q vlan#2 P0 82.X.X.48.500 > 82.X.X.56.500: udp 84
ISAKMP Header
Initiator COOKIE: 94 64 f1 46 ed c3 d7 ae
Responder COOKIE: ff ac 06 b5 6e c4 89 23
Next Payload: Hash
Version: 1.0
Exchange Type: Informational
Flags: (Encryption)
MessageID: D8B67129
Length: 84
11 packets shown
=== running-config ===
: Saved
:
ASA Version 8.0(2)
!
hostname ciscoasa
enable password xxxxxxxxxxxxxxx encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.96 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxxxxxxxxxxxxx encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone GMT 0
access-list inside_nat0_outbound extended permit ip any 192.168.2.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool RApool1 192.168.1.80-192.168.1.89 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 192.168.2.0 255.255.255.0 82.X.X.56 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 82.X.X.56 255.255.255.255 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 TRANS_ESP_3DES_SHA
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 82.X.X.56
crypto map outside_map 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime none
no crypto isakmp nat-traversal
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 30
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.2.0 255.255.255.0 outside
ssh 82.X.X.56 255.255.255.255 outside
ssh timeout 30
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.97-192.168.1.128 inside
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
ntp server 213.10.47.241 source outside prefer
webvpn
enable outside
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.168.1.7
vpn-tunnel-protocol l2tp-ipsec
default-domain value hq.example.org
group-policy DfltGrpPolicy attributes
webvpn
url-list value bookmark1
username vpncl1 password xxxxxxxxx encrypted privilege 0
username vpncl1 attributes
vpn-group-policy DfltGrpPolicy
tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive threshold 30 retry 2
tunnel-group DefaultRAGroup general-attributes
address-pool RApool1
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group muhq type remote-access
tunnel-group 82.X.X.56 type ipsec-l2l
tunnel-group 82.X.X.56 ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 30 retry 2
prompt hostname context
Cryptochecksum:4219a112d25dbbe9ebd1789ff29ce459
: end
Zero AI Policy
We believe in human intelligence. Our moderation policy strictly prohibits the use of LLM content in our Q&A threads.
whats the firmware version on your draytek ?
2700 is a dialout only ; it should initiate the connection (i am sure you would already knew that but just in-case)
check your country specific draytek website for the latest firmware upgrade.
have you got a slow link at your home ? some times IKE timeouts relate to that as well
you can run draytek syslog utility found in router tools and capture the vpn transaction on draytek side as well.
Â
2700 is a dialout only ; it should initiate the connection (i am sure you would already knew that but just in-case)
check your country specific draytek website for the latest firmware upgrade.
have you got a slow link at your home ? some times IKE timeouts relate to that as well
you can run draytek syslog utility found in router tools and capture the vpn transaction on draytek side as well.
Â
Hello Sir!
According to the configuration I assume that this side has a dynamic IP, and it means that you are implementing a dynamic to static connection, right? In this topology only the ASA side could trigger the traffic for the tunnel negotiation. And the Draytek Vigor 2700 should support this kind of tunnels....
1. Which is the IP address of the OUTSIDE IP of the ASA?
2. It is passing through a NAT?
I noticed a couples of details in the LOGS information.
Aug 28 2009 15:25:31: %ASA-3-713119: Group = 82.X.X.56, IP = 82.X.X.56, PHASE 1 COMPLETED
--> ISAKMP/IKE pahse is OK
Aug 28 2009 15:26:03: %ASA-1-713900: Group = 82.X.X.56, IP = 82.X.X.56, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
--> VPn traffic is not matching
Anyway the problems seems to be related to phase 2, please double check that all the parameters are matching.
-Usage of PFS
-Vpn traffic (interesting traffic)
- Same encryption and hash for phase 2.
According to the configuration I assume that this side has a dynamic IP, and it means that you are implementing a dynamic to static connection, right? In this topology only the ASA side could trigger the traffic for the tunnel negotiation. And the Draytek Vigor 2700 should support this kind of tunnels....
1. Which is the IP address of the OUTSIDE IP of the ASA?
2. It is passing through a NAT?
I noticed a couples of details in the LOGS information.
Aug 28 2009 15:25:31: %ASA-3-713119: Group = 82.X.X.56, IP = 82.X.X.56, PHASE 1 COMPLETED
--> ISAKMP/IKE pahse is OK
Aug 28 2009 15:26:03: %ASA-1-713900: Group = 82.X.X.56, IP = 82.X.X.56, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
--> VPn traffic is not matching
Anyway the problems seems to be related to phase 2, please double check that all the parameters are matching.
-Usage of PFS
-Vpn traffic (interesting traffic)
- Same encryption and hash for phase 2.
As geergon have pointed out about the dynamic ip address at vigor 2700 side, you can use dyndns to map a hostname to your dynamic ip ; vigor allows that to do ; if you look around in your vigor settings there shud be an option to use dyndns or some other dynamic dns services ; it should be under Applications on your vigor management page.
www.dyndns.com
www.dyndns.com
EARN REWARDS FOR ASKING, ANSWERING, AND MORE.
Earn free swag for participating on the platform.
@ mutahir:
Thanks for your comment!
The Draytek is a model 2700V (Annex B), module 2S1L
(NOTa 2700G as I said in the question, sorry)
Firmware Version  : 2.6.2_131812
Build Date/Time  : Jun 14 2006 14:34:33
2.6.2 is the latest version according to their website. Although the build date doesn't match with the relnotes on the site. Not quite clear, there are several 2700 models with different hardware. At least it has got some firmware revisions. A little risky to flash other firmware if the version nr is the same.
The ADSL link is fast enough (1.5Mbps down, 256kbps up), at the office it's 2M/512k.
I did capture the Draytek syslog on a Linux server at home. See the code snippet below with the syslog of Local3 category. Â It's suspect that it gives the PAP Login OK (PPPoA) with the timestamp reset to Jan 1. Looks as if it resets itself! The PAP Login must be the DSL reconnect, right? Or is it a bug that they don't put the right timestamp in the PAP message.
Don't know whether it is possible to get detailed logging of the IKE protocol from the Draytek.
I don't believe the 2700V is dial-out only. In the LAN-to-LAN profile it lets me choose beween Dial in, Dial out or Both. I chose Both. No keepalive set. No Always On flag set.
I would like each end to be able to reestablish the tunnel if it gets disconnected.
I will post the Draytek screenshots of the VPN settings later.
Thanks for your comment!
The Draytek is a model 2700V (Annex B), module 2S1L
(NOTa 2700G as I said in the question, sorry)
Firmware Version  : 2.6.2_131812
Build Date/Time  : Jun 14 2006 14:34:33
2.6.2 is the latest version according to their website. Although the build date doesn't match with the relnotes on the site. Not quite clear, there are several 2700 models with different hardware. At least it has got some firmware revisions. A little risky to flash other firmware if the version nr is the same.
The ADSL link is fast enough (1.5Mbps down, 256kbps up), at the office it's 2M/512k.
I did capture the Draytek syslog on a Linux server at home. See the code snippet below with the syslog of Local3 category. Â It's suspect that it gives the PAP Login OK (PPPoA) with the timestamp reset to Jan 1. Looks as if it resets itself! The PAP Login must be the DSL reconnect, right? Or is it a bug that they don't put the right timestamp in the PAP message.
Don't know whether it is possible to get detailed logging of the IKE protocol from the Draytek.
I don't believe the 2700V is dial-out only. In the LAN-to-LAN profile it lets me choose beween Dial in, Dial out or Both. I chose Both. No keepalive set. No Always On flag set.
I would like each end to be able to reestablish the tunnel if it gets disconnected.
I will post the Draytek screenshots of the VPN settings later.
Jan 1 00:00:48 my.router Vigor: PAP Login OK (PPPoA)
Aug 28 15:20:46 my.router Vigor: Responding to Main Mode from 82.X.X.48
Aug 28 15:20:46 my.router Vigor: sent MR3, ISAKMP SA established with 82.X.X.48
Jan 1 00:00:48 my.router Vigor: PAP Login OK (PPPoA)
Aug 28 15:25:31 my.router Vigor: Responding to Main Mode from 82.X.X.48
Aug 28 15:25:31 my.router Vigor: sent MR3, ISAKMP SA established with 82.X.X.48
Jan 1 00:00:48 my.router Vigor: PAP Login OK (PPPoA)
Aug 28 15:28:25 my.router Vigor: Responding to Main Mode from 82.X.X.48
Aug 28 15:28:25 my.router Vigor: sent MR3, ISAKMP SA established with 82.161.98.48
Jan 1 00:00:48 my.router Vigor: PAP Login OK (PPPoA)
Aug 28 15:39:53 my.router Vigor: Responding to Main Mode from 82.X.X.48
Aug 28 15:39:53 my.router Vigor: sent MR3, ISAKMP SA established with 82.161.98.48
Jan 1 00:00:48 my.router Vigor: PAP Login OK (PPPoA)
Jan 1 00:00:48 my.router Vigor: PAP Login OK (PPPoA)
Jan 1 00:00:48 my.router Vigor: PAP Login OK (PPPoA)
The screenshots with the Draytek config
DraytekConfig1.jpg
DraytekConfig2.jpg
DraytekConfig3.jpg
DraytekConfig4.jpg
DraytekConfig1.jpg
DraytekConfig2.jpg
DraytekConfig3.jpg
DraytekConfig4.jpg
The ISP guarantees a fixed public IP addresses at both sites. It's just that I left the Cisco at the default setting getting it's outside IP from the ISP's DHCP. It's an *Adaptive* Security Appliance, you know! :-)
OK I will fix the outside address, but that's not the problem here.
OK I will fix the outside address, but that's not the problem here.
Get a FREE t-shirt when you ask your first question.
We believe in human intelligence. Our moderation policy strictly prohibits the use of LLM content in our Q&A threads.
in draytek config 2 screen shot : Under My WAN IP you need to specify your wan public static ip address at the 2700 side!
under remote gateway specify the public static from where the request is coming
Set the Always ON value to 0 seconds in draytek config 1 screenshot
then run SYSLOG from draytek router tools utility and enable syslog on your router and initiate the vpn transaction
@geergon:
Thanks for replying.
The outside address of the Cisco is 82.X.X.56 as said in the original post. There is no NAT or other router  in between; the ASA is connected to the modem, which is in bridged mode, with a permanent DSL connection. The ASA gets its outside IP and gateway from the ISP's DHCP service.
IKE Phase 1 completes OK, Phase 2 does not!
The Quick Mode negotiation fails IMO. See the FSM error. It looks like a timeout. I'm not familiar with the ASA details. I thought that PFS might be the problem. I turned it off in the Draytek. And I thought it is also off in the Cisco (can you check this please in the config listing, I'm not that familiar with the layering and the defaults of the Cisco settings).
Thanks for replying.
The outside address of the Cisco is 82.X.X.56 as said in the original post. There is no NAT or other router  in between; the ASA is connected to the modem, which is in bridged mode, with a permanent DSL connection. The ASA gets its outside IP and gateway from the ISP's DHCP service.
IKE Phase 1 completes OK, Phase 2 does not!
The Quick Mode negotiation fails IMO. See the FSM error. It looks like a timeout. I'm not familiar with the ASA details. I thought that PFS might be the problem. I turned it off in the Draytek. And I thought it is also off in the Cisco (can you check this please in the config listing, I'm not that familiar with the layering and the defaults of the Cisco settings).
In the packet capture the following packet is sent by the Cisco to the Draytek.
  7: 15:28:27.022002 802.1Q vlan#2 P0 82.X.X.48.500 > 82.X.X.56.500:  udp 652
   ISAKMP Header
    Initiator COOKIE: 94 64 f1 46 ed c3 d7 ae
    Responder COOKIE: ff ac 06 b5 6e c4 89 23
    Next Payload: Hash
    Version: 1.0
    Exchange Type: Quick Mode
    Flags: (Encryption)
    MessageID: 72C4EA2C
    Length: 652
It apparently gets no response. After repeating the message 3 times with 8-second intervals, the Cisco finally gives up. Thats how I see it.
Some expert with thorough knowledge of the protocol might be able to indicate whats wrong.
Also it would be interesting if someone else with the same equipment has an IPsec/ESP tunnel working reliably and could post me the settings.
  7: 15:28:27.022002 802.1Q vlan#2 P0 82.X.X.48.500 > 82.X.X.56.500:  udp 652
   ISAKMP Header
    Initiator COOKIE: 94 64 f1 46 ed c3 d7 ae
    Responder COOKIE: ff ac 06 b5 6e c4 89 23
    Next Payload: Hash
    Version: 1.0
    Exchange Type: Quick Mode
    Flags: (Encryption)
    MessageID: 72C4EA2C
    Length: 652
It apparently gets no response. After repeating the message 3 times with 8-second intervals, the Cisco finally gives up. Thats how I see it.
Some expert with thorough knowledge of the protocol might be able to indicate whats wrong.
Also it would be interesting if someone else with the same equipment has an IPsec/ESP tunnel working reliably and could post me the settings.
EARN REWARDS FOR ASKING, ANSWERING, AND MORE.
Earn free swag for participating on the platform.
SOLUTION
membership
Log in or create a free account to see answer.
Signing up is free and takes 30 seconds. No credit card required.
@mutahir:
>>Â in draytek config 2 screen shot : Under My WAN IP you need to specify your wan public static ip address at the 2700 side! <<
>>Â under remote gateway specify the public static from where the request is coming <<
No, these fields are only for PPTP and L2TP links. Explanation from the Vigor manual:
My WAN IP: Â This field is only applicable when you select PPTP or L2TP
with or without IPSec policy above. The default value is 0.0.0.0,
which means the Vigor router will get a PPP IP address from
the remote router during the IPCP negotiation phase. If the PPP
IP address is fixed by remote side, specify the fixed IP address
here.
Remote Gateway IP: This field is only applicable when you select PPTP or L2TP
with or without IPSec policy above. The default value is 0.0.0.0,
which means the Vigor router will get a remote Gateway PPP
IP address from the remote router during the IPCP negotiation
phase. If the PPP IP address is fixed by remote side, specify the
fixed IP address here.
But entering these addresses won't harm, I will try it.
>>Â Set the Always ON value to 0 seconds in draytek config 1 screenshot <<
Why? Do you assume 0 seconds will mean infinite? (If I check the Always On flag, the value changes to
 -1!  A value of 0 might imply an immediate timeout.
But I'll try.
>>Â then run SYSLOG from draytek router tools utility and enable syslog on your router and initiate the vpn transaction <<
Ok, thanks for your thoughts, I'll try them out and report back.
>>Â in draytek config 2 screen shot : Under My WAN IP you need to specify your wan public static ip address at the 2700 side! <<
>>Â under remote gateway specify the public static from where the request is coming <<
No, these fields are only for PPTP and L2TP links. Explanation from the Vigor manual:
My WAN IP: Â This field is only applicable when you select PPTP or L2TP
with or without IPSec policy above. The default value is 0.0.0.0,
which means the Vigor router will get a PPP IP address from
the remote router during the IPCP negotiation phase. If the PPP
IP address is fixed by remote side, specify the fixed IP address
here.
Remote Gateway IP: This field is only applicable when you select PPTP or L2TP
with or without IPSec policy above. The default value is 0.0.0.0,
which means the Vigor router will get a remote Gateway PPP
IP address from the remote router during the IPCP negotiation
phase. If the PPP IP address is fixed by remote side, specify the
fixed IP address here.
But entering these addresses won't harm, I will try it.
>>Â Set the Always ON value to 0 seconds in draytek config 1 screenshot <<
Why? Do you assume 0 seconds will mean infinite? (If I check the Always On flag, the value changes to
 -1!  A value of 0 might imply an immediate timeout.
But I'll try.
>>Â then run SYSLOG from draytek router tools utility and enable syslog on your router and initiate the vpn transaction <<
Ok, thanks for your thoughts, I'll try them out and report back.
Always ON means , as soon as the tunnel drops , it will initiate in 0 seconds
Â
Â
Agreed.
But the idle timeout value T indicates that if the Always On checkbox is NOT checked, the connection will be dropped after T seconds of no traffic. A value of 0 would theoretically mean that the connection is dropped immediately. If 0 is interpreted as infinite, that would be fine, but that could be set by the Always On flag.
However, Always On implies that the dial direction is Outbound. (it will set the radiobutton Dial Out automatically. I tried that, the Draytek is then continuously calling the Cisco.
But the idle timeout value T indicates that if the Always On checkbox is NOT checked, the connection will be dropped after T seconds of no traffic. A value of 0 would theoretically mean that the connection is dropped immediately. If 0 is interpreted as infinite, that would be fine, but that could be set by the Always On flag.
However, Always On implies that the dial direction is Outbound. (it will set the radiobutton Dial Out automatically. I tried that, the Draytek is then continuously calling the Cisco.
Get a FREE t-shirt when you ask your first question.
We believe in human intelligence. Our moderation policy strictly prohibits the use of LLM content in our Q&A threads.
... So for the first tests, a 3600 second idle timeout is. We'll first have to see the tunnel kept up for an hour.
@mutahir
Followed your tips. I am pleasantly surprised by the Draytek syslog tool!
However, your advice >>Â under remote gateway specify the public static from where the request is coming <<Â turned out not to be a good idea.
Although the manual says this setting is only used for PPTP and L2TP, it has the effect that I can't ping anymore from the home LAN to the Cisco at the office. Instead, when I ping the public office address 82.X.X.48, I see the Draytek trying to open a tunnel. This is wrong. The tunnel should only be built when pinging to the 192.168.1.x LAN !
Followed your tips. I am pleasantly surprised by the Draytek syslog tool!
However, your advice >>Â under remote gateway specify the public static from where the request is coming <<Â turned out not to be a good idea.
Although the manual says this setting is only used for PPTP and L2TP, it has the effect that I can't ping anymore from the home LAN to the Cisco at the office. Instead, when I ping the public office address 82.X.X.48, I see the Draytek trying to open a tunnel. This is wrong. The tunnel should only be built when pinging to the 192.168.1.x LAN !
WIth the Remote Gateway again set to 0.0.0.0, the behavior is better:
ping the office WAN address will echo back (no tunneling).
ping a office LAN address, and the DrayTek attempts building the tunnel
The Draytek syslog says:
 Dialing Node2 (mu6b_ipsec) : 82.X.X.48
 >>> Dial-up triggered by user : 192.168.2.101 ; proto=icmp, to 192.168.1.7
 Initiating IKE Main Mode to 82.X.X.48
So it is trying properly, but does not succeed to finish the tunnel to the Cisco.
ping the office WAN address will echo back (no tunneling).
ping a office LAN address, and the DrayTek attempts building the tunnel
The Draytek syslog says:
 Dialing Node2 (mu6b_ipsec) : 82.X.X.48
 >>> Dial-up triggered by user : 192.168.2.101 ; proto=icmp, to 192.168.1.7
 Initiating IKE Main Mode to 82.X.X.48
So it is trying properly, but does not succeed to finish the tunnel to the Cisco.
EARN REWARDS FOR ASKING, ANSWERING, AND MORE.
Earn free swag for participating on the platform.
After several hours of experimenting I've got FINALLY at least SOMETHING that works!!!
I changed the isakmp lifetime back to 86400 and the hash type to MD5 for both phase 1 and phase 2.
Now when calling from the Draytek  to the Cisco, also phase 2 completes.
The resulting SAs are:
ciscoasa(config)# show crypto isakmp sa detail
  Active SA: 1
  Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 Â IKE Peer: 82.X.X.56
  Type   : L2L       Role   : responder
  Rekey  : no        State  : MM_ACTIVE
  Encrypt : 3des       Hash   : MD5
  Auth   : preshared    Lifetime: 86400
  Lifetime Remaining: 86060
ciscoasa(config)# show crypto ipsec sa detail
interface: outside
  Crypto map tag: outside_map, seq num: 1, local addr: 82.X.X.48
   access-list outside_cryptomap permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
   local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0
   current_peer: 82.X.X.56
   #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
   #pkts decaps: 21, #pkts decrypt: 21, #pkts verify: 21
   #pkts compressed: 0, #pkts decompressed: 0
   #pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
   #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
   #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
   #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
   #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
   #pkts invalid prot (rcv): 0, #pkts verify failed: 0
   #pkts invalid identity (rcv): 5, #pkts invalid len (rcv): 0
   #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
   #pkts replay failed (rcv): 0
   #pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
   #pkts internal err (send): 0, #pkts internal err (rcv): 0
   local crypto endpt.: 82.X.X.48, remote crypto endpt.: 82.X.X.56
   path mtu 1500, ipsec overhead 58, media mtu 1500
   current outbound spi: EC76BB5F
  inbound esp sas:
   spi: 0x95386386 (2503500678)
     transform: esp-3des esp-md5-hmac none
     in use settings ={L2L, Tunnel, }
     slot: 0, conn_id: 118784, crypto-map: outside_map
     sa timing: remaining key lifetime (sec): 28423
     IV size: 8 bytes
     replay detection support: Y
  outbound esp sas:
   spi: 0xEC76BB5F (3967204191)
     transform: esp-3des esp-md5-hmac none
     in use settings ={L2L, Tunnel, }
     slot: 0, conn_id: 118784, crypto-map: outside_map
     sa timing: remaining key lifetime (sec): 28423
     IV size: 8 bytes
     replay detection support: Y
ciscoasa(config)#
Now I can start to explore the boundaries between what works and what doesn't...
I changed the isakmp lifetime back to 86400 and the hash type to MD5 for both phase 1 and phase 2.
Now when calling from the Draytek  to the Cisco, also phase 2 completes.
The resulting SAs are:
ciscoasa(config)# show crypto isakmp sa detail
  Active SA: 1
  Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 Â IKE Peer: 82.X.X.56
  Type   : L2L       Role   : responder
  Rekey  : no        State  : MM_ACTIVE
  Encrypt : 3des       Hash   : MD5
  Auth   : preshared    Lifetime: 86400
  Lifetime Remaining: 86060
ciscoasa(config)# show crypto ipsec sa detail
interface: outside
  Crypto map tag: outside_map, seq num: 1, local addr: 82.X.X.48
   access-list outside_cryptomap permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
   local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0
   current_peer: 82.X.X.56
   #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
   #pkts decaps: 21, #pkts decrypt: 21, #pkts verify: 21
   #pkts compressed: 0, #pkts decompressed: 0
   #pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
   #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
   #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
   #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
   #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
   #pkts invalid prot (rcv): 0, #pkts verify failed: 0
   #pkts invalid identity (rcv): 5, #pkts invalid len (rcv): 0
   #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
   #pkts replay failed (rcv): 0
   #pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
   #pkts internal err (send): 0, #pkts internal err (rcv): 0
   local crypto endpt.: 82.X.X.48, remote crypto endpt.: 82.X.X.56
   path mtu 1500, ipsec overhead 58, media mtu 1500
   current outbound spi: EC76BB5F
  inbound esp sas:
   spi: 0x95386386 (2503500678)
     transform: esp-3des esp-md5-hmac none
     in use settings ={L2L, Tunnel, }
     slot: 0, conn_id: 118784, crypto-map: outside_map
     sa timing: remaining key lifetime (sec): 28423
     IV size: 8 bytes
     replay detection support: Y
  outbound esp sas:
   spi: 0xEC76BB5F (3967204191)
     transform: esp-3des esp-md5-hmac none
     in use settings ={L2L, Tunnel, }
     slot: 0, conn_id: 118784, crypto-map: outside_map
     sa timing: remaining key lifetime (sec): 28423
     IV size: 8 bytes
     replay detection support: Y
ciscoasa(config)#
Now I can start to explore the boundaries between what works and what doesn't...
SOLUTION
membership
Log in or create a free account to see answer.
Signing up is free and takes 30 seconds. No credit card required.
ASKER CERTIFIED SOLUTION
membership
Log in or create a free account to see answer.
Signing up is free and takes 30 seconds. No credit card required.
Cisco
--
Questions
--
Followers
Top Experts
Cisco PIX is a dedicated hardware firewall appliance; the Cisco Adaptive Security Appliance (ASA) is a firewall and anti-malware security appliance that provides unified threat management and protection the PIX does not. Other Cisco devices and systems include routers, switches, storage networking, wireless and the software and hardware for PIX Firewall Manager (PFM), PIX Device Manager (PDM) and Adaptive Security Device Manager (ASDM).